Financial Firms Spending More on Data Protection, but in All the Wrong Places

More U.S. financial sector companies (84%) plan to lift their expenditures for security this year, compared with 78% that raised spending in 2017. Reported data breaches hit 36% of U.S. financial firms, up from 24% a year ago, and nearly two-thirds (65%) of firms report a data breach at some point in the past.

The odd thing is that more of the increased expenditures are being directed to technologies that the financial firms themselves judge to be least effective while more effective technologies are getting less spending. Not only that, only a third of financial firms plan “much higher” spending on data security compared to 46% of U.S. health care firms and 73% of federal government agencies planning much-increased spending.

The data were included in a new report from Thales eSecurity released Wednesday morning. The security firm noted that the financial sector has spent heavily on security since the financial crisis of 2009 and that current spending plans may represent a “maintenance stream of spending rather than an upward step function.”

Ironically, though, financial firms are spending the most on the least effective defenses against a data breach. There are three broad categories of security defenses: network defenses include technologies like encryption that protect data traveling over communications networks; data-at-rest technologies protect data stored in databases, file systems and in the cloud; and endpoint/mobile technologies are designed to protect data at user devices like smartphones and computers.

The firms in the Thales survey ranked network defenses as the most effective method of stopping data breaches (89%), followed by data-at-rest defenses (88%) and endpoint/mobile defenses (17%). Yet spending plans run the opposite way: 69% of financial sector firms plan to spend more on endpoint defenses, while 67% plan to spend more on network defenses and 58% on data-at-rest defenses.

Spending on security is driven in large part by privacy mandates like Europe’s GDPR and the recently enacted privacy regulations in the state of California. More than three-quarters of financial firms said that compliance mandates were “very” or “extremely” effective at preventing data breaches. The top compliance technologies are tokenization, which substitutes non-sensitive surrogate values for sensitive user data like credit card account numbers (48%); encryption in which the firm retains control and management of its own encryption keys (46%); and hardware security modules (40%).

Tokenization is an endpoint defense technology, encryption is both a network and a data-at-rest defense technology, and hardware security modules are another mostly endpoint defense, although they also strengthen data-at-rest defenses by protecting the keys.

Some 85% of U.S. financial firms report storing sensitive data in the cloud, a much higher share than the 55% of federal agencies doing the same. Attacks on cloud data are a top concern of financial firms because of the added exposure of shared infrastructure, security breaches at providers, and the burden of deploying and monitoring multiple cloud-native security tools. Data encryption with locally managed keys is the preferred method for securing data in the cloud.

The Thales report contains additional information on other security issues such as big data, Internet of Things and blockchain, and it is available at the company’s website.